[Freeipa-devel] Kerberos over HTTPS (KDC proxy)
Martin Kosek
mkosek at redhat.com
Wed May 27 09:59:13 UTC 2015
On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
> On Wed, 27 May 2015, Martin Kosek wrote:
>> On 05/26/2015 05:40 PM, Jan Cholasta wrote:
>>> Dne 22.5.2015 v 12:24 Christian Heimes napsal(a):
>> ...
>>>> Finally I haven't figured out the best way to configure the instance. An
>>>> admin should be able to enable / disable KDC proxy. Should I write a
>>>> script or a ipa plugin for the job?
>>>
>>> A script, ipa-kdcproxy-install, if you want to be consistent with what's
>>> already there.
>>
>> I thought we wanted to install it by default and only switch it on/off via
>> configuration in LDAP. In that case, no ipa-*-install should be needed.
> As with any other feature which requires configuration of other
> components, if it wasn't installed before, you need to make sure you are
> able to configure it over upgraded instance. Not providing
> ipa-kdcproxy-install would mean you are not supporting an upgrade case.
I do not disagree with the approach for optional components. But as I wrote
above, this was supposed to be configured everywhere by default - both on new
and upgraded installations.
AFAIK, it is mostly just one config for Apache and wsgi script.
More information about the Freeipa-devel
mailing list